APM session username/password vars not copied in from iRule? Not showing in session report, and auth always fails

Thank you, Amit - adding the "ACCESS::restrict_irule_events disable" didn't have any effect (in and of itself, but I left it in for your 2nd part, just in case).

I think I may be running into security restrictions on setting session.logon.last.password (" target="_blank">discussed here). I did your part 2 (though the HTTP:: vars weren't accessible in ACCESS_POLICY_AGENT_EVENT, so i had to create irule vars in ACCESS_SESSION_STARTED and copied from those). Then in the policy, i have a var assignment agent to copy those session.custom.username/password vars to session.logon.last.username/password. That gets me farther - the LocalDB auth agent at least checks the correct userid now. BUT - the password value appears not to have assigned. The password check always fails.

In the session report, I get an error msg like:

LOCALDB agent: (logon attempt:0) authenticate with '$CK$8JkcxNSl$6pu1Rjb3KxeNCSl7TmYsdQ==' failed

I'm not sure what that hash is ... but I do know I'm entering the correct password, and in the iRule that password is correctly present in the irule var that I assign to session.custom.password.

Hmm. Did something change in recent versions in session variable security protections or something?